Protecting customer data is a top priority for businesses. Security regulations and regular compliance audits aim to help businesses safeguard their data in the face of increasingly sophisticated cyber attacks, but as we've heard from many IBM Z clients, remaining in compliance can be challenging and heavily resource intensive. Initial IBM user research suggests that audits can take 30-90 days on average and between 6-12 skilled IT professionals to complete[1]. Plus, compliance requirements are ever-changing to keep up with the needs of a complex world. These regulations are often written for distributed computing environments so demonstrating compliance involves interpretation and mapping to mainframe environments. Auditors and organization's deep IBM Z expertise are limited, which can lead to gaps in evidence collection and increased risk of security oversights. Mainframe owners need a solution that can reduce the time and skill required to prepare for audits, translate regulations for an IBM Z environment, and put auditors at ease that requirements are being met.
Today, we're excited to introduce the IBM Z Security and Compliance Center, a new software product designed to help simplify and streamline compliance tasks[2]. The product works through an integrated set of microservices that collects data from participating IBM components, which allows you to check your z/OS and Linux on Z settings for compliance against industry security standards and generates reports for auditing purposes. Robert Miller, Senior Manager at Deloitte, says: "Regulatory requirements that IBM Z owners face are increasing in complexity, making it much harder to adapt to changes and creating more work for deeply skilled staff. The IBM Z Security and Compliance Center will be a differentiator in the marketplace because it allows mainframe owners to automatically collect and validate compliance data to perform an almost continuous audit of their environment, reducing risk of audit failure and cyber intrusions."
An interactive view of compliance posture
The IBM Z Security and Compliance Center dashboard provides an interactive view of compliance posture and details, including drift view based on control deviations and detailed scan results2. Rather than spending weeks simply fulfilling data collection, you can produce helpful insights quickly, allowing you to be more proactive in strengthening your compliance posture. Through the web-based user interface, you can generate detailed reports, display the actual logic used to validate collected facts (or configuration information which facilitates compliance), and customize profiles with goals that map to a number of regulatory frameworks. You can also store your collections in a database to visualize historical facts, validate against them, and refer to historical compliance scores to track drift.
Right out of the box, the solution will offer pre-defined profiles which map to different regulatory frameworks and security benchmarks. It will feature a subset of over 300 pre-built goals, which are individual checks for validations against control and sub-control level rule changes over a period of time. With customizable profiles ready to use on day one, your team will no longer need to create ad hoc workarounds. With reports, you can see context around the severity of controls deviations from PCI-DSS, NIST SP 800-53, and CIS Benchmarks. "IBM Z Security and Compliance Center has high level reporting that executives look for, and provides a detailed mapping of regulatory frameworks to IBM Z security controls that IBM Z teams and auditors need," said one senior director.
Figure 1: The IBM Z Security and Compliance Center dashboard
Automation reduces required resources and timelines
In a world where skilled professionals are becoming increasingly difficult to find, automation is a necessary next step in your journey to continuous compliance. IBM's 2021 Cost of a Data Breach report found that security AI and automation was the biggest positive factor in mitigating the cost of a data breach, representing a difference of $3.81 million, nearly 80%, in breach costs at organizations with mature deployment of security automation versus those without. The IBM Z Security and Compliance Center automates the collection of compliance-related facts, ultimately reducing audit preparation timelines and skills needed to execute. "When my team prepares for an audit today, it takes weeks for skilled individuals to slice and dice SMF records to produce the information auditors need," said one senior technical specialist. "IBM Z Security and Compliance Center will save significant time and reduce our reliance on experts."
When it's time to conduct a scan, the collector microservice can be configured via the interface to automatically send an ENF signal to all compatible IBM Z Components, which in turn triggers them to generate compliance data in enhanced z/OS SMF records and Linux facts. When sponsor clients and partners put this into practice, their projected time-savings on audit preparation was over 55% on average1. Compliance automation not only saves time, but precious labor resources as well. Initial user research shows that through automation provided by the IBM Z Security and Compliance Center, the need for IT expertise will be reduced by over 40%1. With the aid of automation, your team's resources can be re-dedicated to other core business efforts as opposed to being tied up with the auditing process.
Figure 2: How posture management components work together
Get the IBM Z Security and Compliance Center for your IBM z16 system
The IBM Z Security and Compliance Center will be available for IBM z16 on May 27th, 2022. Learn more about the IBM Z Security and Compliance Center by downloading the solution brief, and explore the steps to get started in the Content Solution.
[1] The survey consisted of 8 responses across 5 unique customers. Sourced from the IBM Z Security and Compliance Center Sponsor User Program and IBM Z Design Council.
[2] IBM does not ensure regulatory compliance. The intent is to provide a point in time statement of your current posture for a specific group of resources. The responsibility of ensuring systems are configured in accordance with regulatory controls is on the individual businesses who are using the IBM Z Security and Compliance Center and IBM does not take responsibility for any compliance oversights or penalties associated with data breaches.